
Obtaining a JWT from Microsoft Entra ID

Procedure

  1. Create an application in Microsoft Entra ID.

    Note the tenant ID, client ID, client secret and the endpoints listed for the application; the following steps use them.

    The public keys the tenant uses to sign its tokens (a JWKS document) are published at https://login.microsoftonline.com/<tenant ID>/discovery/v2.0/keys.

  2. Send a POST request (for example from Postman) to https://login.microsoftonline.com/<tenant ID>/oauth2/token. The form body carries grant_type=client_credentials, your client_id and client_secret, and the resource (the App ID URI of the API the token is for); grant_type and resource are both required by this v1 endpoint.
    The JSON response contains the access token in the access_token field, together with metadata such as token_type and expires_in. This access token is the bearer token you present to the REST services that have JWT validation enabled.
  3. Read the kid from the token's header. The https://jwt.io/ website shows it under HEADER in the Decoded view after you paste the token into the Encoded text box. Note that this means pasting a live bearer token into a third-party page; on a production tenant decode the header locally instead: the first dot-separated segment of the token is base64url-encoded JSON.
  4. Open https://login.microsoftonline.com/<tenant ID>/discovery/v2.0/keys in a Web browser.
    The document lists the tenant's current signing keys; find the entry whose kid equals the kid from the token header. If no entry matches, request a fresh token and reload the key document, because Microsoft rotates these keys periodically.
  5. Copy the first string in the x5c array of the matched key (the signing certificate itself, as base64-encoded DER) and save it to a text file.
  6. Convert the text file to an azure.cer file by adding the PEM header and footer lines, for example (the base64 body is abbreviated here; a real certificate runs to well over a thousand characters and is conventionally wrapped at 64 characters per line):
    -----BEGIN CERTIFICATE-----
    MGLqj98VNLoXaFfpJCBpgB4JaKs
    -----END CERTIFICATE-----
  7. Import this trusted certificate into your JKS keystore using Java keytool.
    keytool -import -keystore servicestore.jks -storepass sspass -alias myAzureKey -file azure.cer -noprompt
    Omit -storepass to be prompted for the password rather than leaving it in your shell history. keytool stores aliases in lower case, so the entry appears as myazurekey when you list the keystore:
    keytool -list -keystore servicestore.jks
    Because Microsoft rotates its token signing keys periodically, a certificate pinned this way stops validating newly issued tokens after a rotation; repeat steps 3 to 7 with the new key when that happens.
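Steps 2 to 7 as one script, added here as an example; it is not part of the original page or of Microsoft's tooling. It uses only the Python standard library. The JWT and JWKS it runs against offline are constructed samples (the token is unsigned and the x5c value is a stub, not a real certificate). For the live flow it reads the tenant, client ID, client secret and resource from environment variables named ENTRA_TENANT, ENTRA_CLIENT_ID, ENTRA_CLIENT_SECRET and ENTRA_RESOURCE; those names are chosen for this example.

```python
"""Obtain an Entra ID access token, read its kid, pick the matching
signing certificate from the tenant's JWKS and write it as azure.cer
for `keytool -import`. Added example, not from the original page."""
import base64
import json
import os
import urllib.parse
import urllib.request


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment that may lack padding (JWT style)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Inverse of b64url_decode; used only to build the sample token."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header, which is what jwt.io shows under
    HEADER. This performs no signature verification; it only reads kid."""
    return json.loads(b64url_decode(token.split(".")[0]))


def find_signing_key(jwks: dict, kid: str) -> dict:
    """Select the JWKS entry whose kid matches. A KeyError here is what
    you hit after Microsoft rotates its signing keys."""
    for key in jwks["keys"]:
        if key.get("kid") == kid:
            return key
    raise KeyError(f"no key with kid={kid!r} in JWKS")


def x5c_to_pem(key: dict) -> str:
    """Wrap the leaf certificate (first x5c entry, base64 DER) as PEM,
    with the body broken into 64-character lines as in RFC 7468."""
    der_b64 = key["x5c"][0]
    body = "\n".join(der_b64[i:i + 64] for i in range(0, len(der_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fetch_token(tenant: str, client_id: str, client_secret: str, resource: str) -> str:
    """Client-credentials grant against the v1 token endpoint (step 2)."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    with urllib.request.urlopen(url, data=body) as resp:
        return json.load(resp)["access_token"]


def fetch_jwks(tenant: str) -> dict:
    """Download the tenant's current signing keys (step 4)."""
    url = f"https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


# Constructed sample data so the script runs offline. The token has a
# dummy signature segment; the x5c values are stubs, not certificates.
SAMPLE_JWT = ".".join([
    b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256", "kid": "abc123"}).encode()),
    b64url_encode(json.dumps({"aud": "api://example", "iss": "https://sts.windows.net/t/"}).encode()),
    "dummy-signature",
])
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "older", "x5c": ["AAAA"]},
    {"kty": "RSA", "use": "sig", "kid": "abc123", "x5c": ["MIIB" * 40]},
]}


def export_matching_cert(token: str, jwks: dict, path: str = "azure.cer") -> str:
    """Steps 3 to 6 in one call: returns the kid that was matched."""
    kid = jwt_header(token)["kid"]
    with open(path, "w") as fh:
        fh.write(x5c_to_pem(find_signing_key(jwks, kid)))
    return kid


if __name__ == "__main__":
    tenant = os.environ.get("ENTRA_TENANT")  # assumed variable names
    if tenant:
        token = fetch_token(tenant, os.environ["ENTRA_CLIENT_ID"],
                            os.environ["ENTRA_CLIENT_SECRET"], os.environ["ENTRA_RESOURCE"])
        jwks = fetch_jwks(tenant)
    else:
        token, jwks = SAMPLE_JWT, SAMPLE_JWKS
    print("matched kid", export_matching_cert(token, jwks))
    # Step 7 is still done with keytool; the password is prompted for.
    print("keytool -import -keystore servicestore.jks -alias myAzureKey -file azure.cer -noprompt")
```

Without the environment variables the script processes the built-in sample and writes azure.cer from the stub; with them it performs the real token request and key download. The decoding is done locally, so the live token never leaves your machine.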
